Regular Expression Denial of Service

Module: tough-cookie

Published: September 21st, 2017

Reported by: Cristian-Alexandru Staicu



Vulnerable: <2.3.3
Patched: >=2.3.3


The tough-cookie module is vulnerable to regular expression denial of service. Input of around 50k characters is required for a slow down of around 2 seconds.

Unless node was compiled using the -DHTTP_MAX_HEADER_SIZE= option the default header max length is 80kb so the impact of the ReDoS is limited to around 7.3 seconds of blocking.

At the time of writing all version <=2.3.2 are vulnerable


Please update to version 2.3.3 or greater


Sign up FREE for
nsp Continuous Security

Free for open source and the first private repo,
then just $1/mo per private repo